[iptables actual combat] 06 iptables network firewall experiment

1. Description of current situation

In the previous section, we forwarded traffic between the machines on the two network segments through the intermediate machine so that they could reach each other. Let's review the network connection diagram again.


In this section we will run some firewall experiments by setting iptables rules on machine B. Machine A simulates a server on the public network, machine C simulates a machine on our intranet, and machine B acts as the router.

2. Preconditions

2.1 The firewalld service on all three machines is stopped so that it does not interfere with the experiment.

[root@localhost ~]# systemctl stop firewalld && systemctl disable firewalld

2.2 So that existing rules do not affect the results, we first clear all iptables rules on machine B.

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 239 packets, 29542 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
 pkts bytes target     prot opt in     out     source               destination   

2.3 Install httpd on machine A

Since our host C was initially set up with a host-only network and could not reach the Internet, we first connect to the Internet and then install httpd. Shut down host A first and add a NAT network adapter.

The enp0s3 here is the NAT adapter. After enabling enp0s3, the external network is reachable; you can try opening Baidu in a browser to confirm that the connection works.
Now install httpd:

[root@localhost ~]# yum install httpd
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# curl -X GET http://localhost

After httpd is installed, disable the enp0s3 adapter again.

2.4 Start the network service of host C

Since the hosts have been restarted, the route from C to A needs to be set again:

route add -net 192.168.56.0/24 gw 10.1.0.11

Clear the iptables rules of host B first so that existing rules do not affect the experiment:

[root@localhost ~]# iptables -F

After clearing the rules on B, try to ping A from host C; it works.

3. Connectivity Experiment

First check whether A and C can ping each other. With the network confirmed working, perform the following operations.

3.1 First deny all forwarding

Add a default deny rule at the end of the FORWARD chain on host B; the "allow" rules can then be inserted before this default deny rule.

[root@localhost ~]# iptables -A FORWARD -j REJECT

At this point, host A and host C can no longer communicate with each other. A->C cannot ping, but A->B can ping (because they are directly connected through a switch).

C->A ping fails, but C->B can ping (because they are directly connected through a switch).
3.2 Set host B to forward traffic

If we want internal host C to be able to access the web service of external host A (10.1.0.10), what should we do? We need to allow web requests from internal hosts to external hosts in the FORWARD chain. We only need to configure the following:

iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Access host A (192.168.56.104) from host C (10.1.0.10):

curl -X GET http://192.168.56.104:80

and it works.

4. Summary

#If you want iptables to act as a network firewall, the host running iptables must have kernel forwarding enabled so that it can forward packets.
#Use the following command to check whether the current host has kernel forwarding enabled: 0 means disabled, 1 means enabled.
cat /proc/sys/net/ipv4/ip_forward
#Either of the following two methods enables kernel forwarding temporarily. It takes effect immediately but is lost after the network configuration is restarted.
Method 1: echo 1 > /proc/sys/net/ipv4/ip_forward
Method 2: sysctl -w net.ipv4.ip_forward=1
#Use the following method to enable kernel forwarding permanently; it takes effect after the network service is restarted.
Configure the /etc/sysctl.conf file (on CentOS 7, configure /usr/lib/sysctl.d/00-system.conf) and set net.ipv4.ip_forward to 1 in that file.

#Because iptables plays the role of a "network firewall" here, the rules must be set in the FORWARD chain of the filter table.
#A "whitelist" approach can be used: first add a default deny rule, then add rules for the packets that need to be allowed through.
#When configuring rules, the "direction problem" must be considered: for request packets and reply packets, look at the source and destination addresses, source and destination ports, and so on.
#The example allows hosts inside the network to access the web service and the sshd service of hosts outside the network.

iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 10.1.0.0/16 -p tcp --sport 80 -j ACCEPT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -d 10.1.0.0/16 -p tcp --sport 22 -j ACCEPT

#The state extension module can be used to optimize the rules above; with the following configuration many of the "reply packet allow rules" can be omitted.

iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
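To make the rule-order and direction points from section 3.2 and this summary concrete, here is a small Python model, added here and not part of the original post or of iptables itself, that replays the two FORWARD rule sets with iptables' -A/-I and first-match semantics and evaluates constructed request and reply packets between C (10.1.0.10) and A (192.168.56.104). The conntrack state is supplied as a packet field, since the model has no connection tracker.

```python
import ipaddress
# Constructed: the page's two FORWARD rule sets (web rules only), in iptables syntax.
STATELESS = """
iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 10.1.0.0/16 -p tcp --sport 80 -j ACCEPT
"""
STATEFUL = """
iptables -A FORWARD -j REJECT
iptables -I FORWARD -s 10.1.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"""
KEYS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
        "--sport": "sport", "--state": "state", "-j": "target"}

def build_chain(script):
    """Replay the commands in order: -A appends, -I inserts at the head of the chain."""
    chain = []
    for line in script.strip().splitlines():
        argv = line.split()[1:]               # drop the 'iptables' word
        rule, op, i = {}, None, 0
        while i < len(argv):
            if argv[i] in ("-A", "-I"):
                op = argv[i]                  # argv[i + 1] is the chain name
            elif argv[i] != "-m":             # '-m state' only loads the match module
                rule[KEYS[argv[i]]] = argv[i + 1]
            i += 2
        chain.insert(0 if op == "-I" else len(chain), rule)
    return chain
def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("src", "dst"):
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        elif key == "state":                  # conntrack state of the packet's flow
            ok = pkt["state"] in want.split(",")
        else:
            ok = key == "target" or str(pkt.get(key)) == want
        if not ok:
            return False
    return True
def verdict(chain, pkt):
    """First matching rule decides; otherwise the chain policy (ACCEPT on the page) applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return "ACCEPT"

# Constructed traffic: C (10.1.0.10) requests A's (192.168.56.104) web service, and A replies.
REQUEST = dict(src="10.1.0.10", dst="192.168.56.104", proto="tcp", sport=40000, dport=80, state="NEW")
REPLY = dict(src="192.168.56.104", dst="10.1.0.10", proto="tcp", sport=80, dport=40000, state="ESTABLISHED")
```

Dropping the `-d 10.1.0.0/16 --sport 80` line from the stateless set makes A's reply hit the REJECT rule, which is exactly the "direction problem" the state module removes.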


Origin blog.csdn.net/suyuaidan/article/details/133500729